
US7577833B2 - Apparatus and method for high speed IPSec processing - Google Patents

Apparatus and method for high speed IPSec processing

Info

Publication number
US7577833B2
Authority
US
United States
Prior art keywords
packet data
ipsec
buffer
processed
authentication
Prior art date
Legal status
Expired - Lifetime, expires
Application number
US11/429,540
Other versions
US20060265585A1 (en)
Inventor
Yi-Sern Lai
Current Assignee
A10 Networks Inc
Original Assignee
Industrial Technology Research Institute ITRI
Priority date
Filing date
Publication date
Application filed by Industrial Technology Research Institute ITRI filed Critical Industrial Technology Research Institute ITRI
Priority to US11/429,540 priority Critical patent/US7577833B2/en
Publication of US20060265585A1 publication Critical patent/US20060265585A1/en
Application granted granted Critical
Publication of US7577833B2 publication Critical patent/US7577833B2/en
Assigned to A10 NETWORKS, INC.-TAIWAN reassignment A10 NETWORKS, INC.-TAIWAN ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE
Assigned to A10 NETWORKS, INC. reassignment A10 NETWORKS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: A10 NETWORKS, INC.-TAIWAN
Assigned to A10 NETWORKS, INC. reassignment A10 NETWORKS, INC. CHANGE OF ADDRESS Assignors: A10 NETWORKS, INC.
Assigned to ROYAL BANK OF CANADA, AS COLLATERAL AGENT reassignment ROYAL BANK OF CANADA, AS COLLATERAL AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: A10 NETWORKS, INC.
Adjusted expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • the IPSec processor consists of an inbound IPSec processor and an outbound IPSec processor.
  • FIG. 4 shows the block diagram of the inbound or outbound IPSec processor.
  • the inbound or outbound IPSec processor consists of a Parser 400, a Classification unit 410, a Database Manager 420, a Database 430, an External IN Buffer 440, an External OUT Buffer 450, and several IPSec Cores 460.
  • Database 430 includes the SAD (security association database) and the SPD (security policy database).
  • the Parser 400 parses parameters from the input packet data, and forwards those parameters to the Classification unit 410 .
  • the Classification unit 410 looks up a policy with those parameters, deciding to discard, bypass, or apply the IPSec processing.
  • the associated packet, stored in the External IN Buffer 440, is neglected for the “discard” case. That packet is passed through to the External OUT Buffer 450 for the “bypass” case. Finally, for the “applied” case, that packet and its associated SA are forwarded from the External IN Buffer 440 and the database, respectively, to one of the IPSec Cores 460. The output of the External IN Buffer 440 is paged to the several IPSec Cores 460.
  • the External OUT Buffer 450 receives outputs of individual IPSec Cores 460 for external access.
  • a Database Manager 420 is used to maintain the security policy database (SPD) and the security association database (SAD).
  • a packet is processed in the sequence of: parsing, classification, transferring packet/SA data to an IPSec Core 460 .
  • the IPSec Core 460 takes care of packet input, pre_operation, IPSec operation, post_operation, packet output, and data buffering. Packets are distributed to IPSec cores 460 as soon as they are available so that those packets can be processed in parallel.
  • a packet will be processed according to its given SA(s).
  • the processed packets are delivered to the External OUT Buffer 450 .
  • the delivery follows the “first come, first served” principle. For a bundled-SA case, a processed packet can be output only after the processing of all the bundled SAs is done.
  • the IPSec Core 460 has a simple IO interface; it contains two input ports, one for packet input and the other for SA input, and one output port for processed packet output.
  • the inputs and output follow a regular synchronous IO design. Thanks to the simple IO interface and easy access timings, it is very easy to duplicate the IPSec Cores 460 and thereby enhance the performance.
  • FIG. 5 shows the block diagram of the IPSec Core 460 in FIG. 4 .
  • the IPSec Core 460 is composed of an Encryption Engine 500, an Authentication Engine 510, a Device unit 520, an Output FIFO 530, two buffers (Buffer A 540 a and Buffer B 540 b), two MUXes (MUX A 550 a and MUX B 550 b), and a Control Unit 560.
  • the Device unit 520 is responsible for checksum calculation, random number generation, mutable bits calculation, length calculations, reference pointer calculations, temporary information storage . . . and so on.
  • the Control Unit 560 controls the programming sequence, which directs data transfers.
  • “peripheral” means an engine, the Output FIFO 530, or the Device 520.
  • BUS A 570 a is used for data transfers from Buffer A 540 a to a peripheral.
  • MUX A 550 a selects one path to write data from a peripheral to Buffer A 540 a .
  • data are read from Buffer A 540 a and written to the same address via BUS A 570 a and MUX A 550 a.
  • the Control Unit 560 conducts IPSec processing as follows: A packet together with its associated SA(s) is fed into Buffer A 540 a. The Control Unit 560 then conducts packet forming (header making, trailer making, and forming an IPSec packet) according to the acquired SA information. The formed packet is then delivered to the Encryption Engine 500 or Authentication Engine 510. For AH mode, the mutable fields of the IP header and option field have to be processed. For ESP mode, part of the formed packet is delivered to the Encryption Engine 500 and/or Authentication Engine 510. The encrypted results are stored back in their original place. Packet output proceeds thereafter.
  • the Authentication Engine 510 accesses the ciphered data, which have been stored in buffer.
  • the packet data waits in the buffer when it needs authentication (or encryption) but the Authentication Engine 510 (or Encryption Engine 500) is not available.
  • the sequence controller chains the encryption and the authentication operation together by controlling the data transfer from buffer to the Encryption engine and to the Authentication engine.
  • Module B works in the same way as Module A. The two modules cooperate with each other to gain higher performance. The cooperation retains the spirit of the pipeline, but it does not act like the traditional pipeline; it may be more appropriate to call the cooperation “sharing”.
  • for the inbound service, one has to verify the packet to see whether it is a fake one. Five parameters are used for verification: protocol, source address, destination address, and the source and destination port numbers. The first three items are in the IP header and the port numbers are in the TCP/UDP header. One has to decrypt the received packet back to its original values, from which the five parameters can be read for verification.
  • in the traditional pipeline, one has to do the verification in the Post_Operation; in other words, one has to wait until the whole decryption is done. The triple DES operation is the bottleneck of the whole process, and packets may be as long as fifteen hundred bytes, so a lot of time is wasted operating on illegal packets. In our design, such a verification can be performed right after the TCP/UDP header has been decrypted.
  • FIG. 6 shows the Control Unit 560 in FIG. 5 .
  • the Control Unit 560 is composed of eight sub-units.
  • the spotted blocks are finite state machines, which control the processing order while the rectangular ones are individual control functions.
  • Each control function uses a finite state machine to drive a DMA (Direct Memory Access) for data transferring.
  • each oval stands for a specific state, which calls one or two functions as indicated.
  • the two Sequence controllers, Control_A 600 a and Control_B 600 b, share the rectangular-shaped functions with each other. We call it a sharing structure.
  • the processing flow is described as below:
  • a packet is allowed to enter the IPSec Core only when one of the sequence controllers is in the Input State, so that it can call the Input function. Packet data are guided into the buffer.
  • when a packet demands an additional SA service (the bundled SA case), the packet has to go through an additional Pre_Operation, Operation, and Post_Operation. That packet cannot be output until all the processes associated with the last SA are finished.
  • this structure allows one sequence controller to call Encryption 630 while the other calls Authentication 640 at the same time.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An IPSec processor is a network security device. It is designed primarily for environments that demand a throughput of Gigabits per second. By using a new architecture, parallel processing and pipeline processing become more efficient, and hence performance is higher. An IPSec Core in the IPSec processor employs a sharing structure, which raises the utilization of the Encryption Engine and Authentication Engine. Moreover, the IPSec Core can be duplicated, allowing parallel processing. Because the IPSec Core deals with the whole of IPSec processing, namely the Pre_Operation, operation, and Post_Operation, it forms a complete processing unit and is easy to duplicate. In addition, several features have been created for a hardware-based implementation, including the processing of the bundled SA case, early verification of the packet, and no need to build an additional context in order to perform a crypto operation.

Description

CROSS-REFERENCE TO RELATED APPLICATION
This application is a divisional of U.S. patent application Ser. No. 10/225,027, filed Aug. 21, 2002 now abandoned.
BACKGROUND OF THE INVENTION
1. Field of Invention
The invention relates to an IPSec Processor and, in particular, to a mechanism for high speed IPSec processing.
2. Related Art
IP Security (IPSec) apparatuses are used to secure information propagated over a public network. Several applications, including Virtual Private Networks (VPN) and cable modems, have adopted IPSec as the standard for their own security purposes. IPSec apparatuses may have processing throughputs covering quite a wide range, from the order of a hundred kilobits per second to several Gigabits per second. There are several solutions for IPSec apparatuses. One may use a full-software solution. The software solution works fine except that its performance is only about 1 Mbit per second or even lower, which is really too slow; this is hardly acceptable in the era of booming networks. The development of WDM and Gigabit Ethernet has pushed network bandwidth from Megabits to Gigabits per second.
FIG. 1 shows a block diagram of a conventional IPSec system structure. The IPSec system consists of a CPU 100, a Memory 110, and an Accelerator 120. Here, the IPSec Accelerator 120 is employed only to reduce the computation load of the CPU 100 in 3DES and HMAC operations. The CPU 100 has to take care of all other functions, including parsing, packet classification, database maintenance, pre-operation (e.g. packet forming and trailer making), post-operation, packet IO, and IP layer processing (e.g. fragmentation and re-assembly). In addition, it has to form a context for the IPSec accelerator. The throughput is very limited because of the big overhead described above. The transfer speed is also limited by the rise time of the Memory 110 and therefore by a long CPU read/write cycle. It is the easiest way to implement, but the system performance is quite low even when a high-speed accelerator is employed.
FIG. 2 shows a conventional IPSec processor with an embedded CPU and Memory, which is an extension of the IPSec system shown in FIG. 1. The IPSec processor is constructed of an embedded CPU 200, an embedded Memory 210, and an accelerator (or Crypto Engine 220). It does increase the transfer speed thanks to a higher data transfer rate. Yet it still has to deal with the big overhead described above. Hence, it is still difficult to achieve a very high throughput, such as Gigabits per second.
FIG. 3 shows the traditional pipeline concept. Packets are delivered through n stations, which deal with packet input, trailer making, header making/modifying, operation, post-operation, and packet output respectively. The pipeline expedites processing by keeping all the stations busy; a station works on the output of its previous station as soon as it is available. However, there are two problems:
    • 1) A packet has to check in and check out of every station. Hence, additional buffers are needed to get things done, and checking in and out also takes time.
    • 2) It takes extra time to feed the data back to the beginning stage for an SA (security association) bundled case; the very same packet has to be processed again, and the data must be fed back for the bundled SA processing.
In the prior art, several copies of the accelerator (or Crypto Engine 220) could be duplicated so that the Crypto Engine 220 gains a high performance capability; namely, the parallel technique is involved in that design. That is what current commercial products do in order to increase IPSec processing performance. Some advanced commercial products add a few features, like checksum and mutable bits processing, to their devices. There are, however, several drawbacks to this kind of parallel processing:
    • 1) It is very time consuming or even difficult to deal with a bundled SA case, since the whole packet has to be fed back for the bundled SA; it has to repeat the processes from parsing and classification . . . through to output.
    • 2) Crypto Engine 220 utilization is not high. The Crypto Engine 220 has to deal with encryption, authentication, and encryption plus authentication. The encryption engine and authentication engine are chained together to provide all three service styles. Hence, the whole Crypto Engine 220 can service one packet with one of the three service styles; it cannot service two packets at a time. A “collision” problem also reduces the utilization of the Crypto Engines 220. When two Crypto Engines 220 finish their jobs at about the same time, one of them has to output after the other. No input is allowed before the output is complete, so no input is allowed for either of the two engines and one of them has to idle even longer.
    • 3) The control is complicated. Firstly, one needs to build up a context for the Crypto Engine 220 (or accelerator). Secondly, the post-processing causes extra effort.
    • 4) It is not efficient to verify the authenticity of incoming packets, because verification can be done only after the crypto operation is completed, and the crypto operation is the bottleneck of the whole process. It may take a long time to perform a decryption operation on a packet that turns out to be a fake one.
    • 5) The bottleneck may shift to the pre-operation, which includes packet forming and context making, seeing that crypto engines can be duplicated as many times as desired while there is only one pre-operation stage.
SUMMARY OF THE INVENTION
Depending on the throughput requirement of a specific application, IP security devices are employed to enhance performance. This disclosure is particularly directed to a device and method which yield high performance in IPSec processing.
This invention provides an IPSec processor that processes IP packets according to the IP security protocols at a high throughput.
To realize the above objective, the preferred embodiment of the present invention provides an External IN Buffer, an External OUT Buffer, a Parser, a Classification unit, a Database, a Database Manager, and one or more IPSec Cores.
The IPSec processor is composed of an inbound IPSec processor and an outbound IPSec processor. The outbound IPSec processor processes packets going from the LAN to the WAN, and the inbound IPSec processor processes packets traveling from the WAN to the LAN. The inbound and outbound processors are independent of each other, and their processing mechanisms are different. However, the block diagram is the same. The External IN Buffer is used for storing the input packet data. The External OUT Buffer is for storing the processed packet data to be output. The Parser parses parameters from the IP header, AH header, ESP header, or transport layer header for classification. The Classification unit looks up a security policy (SP) for the outbound service and a security association (SA) for the inbound service. The Database contains the security associations and security policies. The Database Manager maintains the database. Finally, the IPSec Core executes the IPSec processing: the Pre_Operation, crypto operation, and Post_Operation.
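The Parser and Classification steps just described, as an added Python example that is not code from the patent: it parses the IP, AH, ESP and transport headers into selectors and resolves them to discard, bypass or apply through an ordered security policy database for outbound traffic and an SPI-keyed security association database for inbound AH/ESP. All addresses, policies, SPIs and SA names are constructed.

```python
"""Parser and Classification stages of the IPSec processor (added example; all data constructed)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Selectors:
    """The parameters the Parser forwards to the Classification unit."""
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: Optional[int] = None   # only when a TCP/UDP header is visible
    dport: Optional[int] = None
    spi: Optional[int] = None     # only for AH/ESP packets


def parse(packet: bytes) -> Selectors:
    """Parser: pull selectors out of IPv4 + AH/ESP/TCP/UDP headers, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    vihl, total_len, proto, src, dst = f[0], f[2], f[6], f[8], f[9]
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad IPv4 version or length fields")
    body = packet[ihl:total_len]
    sel = {"src": IPv4Address(src), "dst": IPv4Address(dst), "proto": proto}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):           # ports are the first 4 bytes of both
        if len(body) < 4:
            raise ValueError("truncated transport header")
        sel["sport"], sel["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:                         # ESP header: SPI, sequence number
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        sel["spi"] = struct.unpack("!I", body[:4])[0]
    elif proto == IPPROTO_AH:                          # AH header: next, len, reserved, SPI, seq
        if len(body) < 12:
            raise ValueError("truncated AH header")
        sel["spi"] = struct.unpack("!I", body[4:8])[0]
    return Selectors(**sel)


@dataclass(frozen=True)
class SpdEntry:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int]          # None matches any protocol
    dport: Optional[int]          # None matches any destination port
    action: str                   # "discard", "bypass" or "apply"
    sa: Optional[str] = None      # SA to apply (constructed name)

    def matches(self, s: Selectors) -> bool:
        return (s.src in self.src and s.dst in self.dst
                and self.proto in (None, s.proto) and self.dport in (None, s.dport))


def classify(sel: Selectors, spd: List[SpdEntry], sad: Dict[tuple, str]) -> Tuple[str, Optional[str]]:
    """Classification unit: SA lookup for inbound AH/ESP, ordered SPD lookup otherwise; no match = discard."""
    if sel.spi is not None:
        sa = sad.get((sel.spi, sel.dst, sel.proto))    # SAD key: SPI, destination, protocol
        return ("apply", sa) if sa else ("discard", None)
    for entry in spd:                                  # first match wins, so order is policy
        if entry.matches(sel):
            return entry.action, entry.sa
    return "discard", None


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet; header checksum left zero since classification never reads it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def udp(sport: int, dport: int) -> bytes:             # constructed UDP header, empty payload
    return struct.pack("!HHHH", sport, dport, 8, 0)

def tcp(sport: int, dport: int) -> bytes:             # constructed TCP header, no options
    return struct.pack("!HH", sport, dport) + bytes(16)

def esp(spi: int, seq: int) -> bytes:                 # constructed ESP header plus dummy payload
    return struct.pack("!II", spi, seq) + bytes(24)

def ah(spi: int, seq: int) -> bytes:                  # constructed AH header plus dummy ICV
    return struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq) + bytes(12)


SPD = [  # outbound policy for a 10.0.0.0/8 LAN, most specific entry first
    SpdEntry(IPv4Network("10.0.0.0/8"), IPv4Network("198.51.100.0/24"), IPPROTO_UDP, 53, "bypass"),
    SpdEntry(IPv4Network("10.0.0.0/8"), IPv4Network("198.51.100.0/24"), None, None, "apply", "sa-out-1"),
    SpdEntry(IPv4Network("10.0.0.0/8"), IPv4Network("192.0.2.0/24"), None, None, "discard"),
]
SAD = {(0x1001, IPv4Address("203.0.113.9"), IPPROTO_ESP): "sa-in-1"}   # one inbound ESP SA
```

Because the SAD key includes the protocol, an AH packet carrying a known ESP SPI is still discarded, and a packet whose length fields do not agree is rejected by the Parser before any lookup.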
The IPSec Core further comprises two BUSes (BUS_A and BUS_B), two buffers (Buffer A and Buffer B), two multiplexes (MUX A and MUX B) in two modules (Module A and Module B) separately, and an Encryption Engine, an Authentication Engine, an Output FIFO, a Device unit, and a Control Unit. The two buffers are used for storing packet data and SA data, one for each module respectively. Two Multiplexers allow one of data sources to enter their associated buffers. The Encryption Engine performs encryption operation for outbound service and decryption for inbound service. The Authentication Engine performs digest calculation. The output FIFO balances the output between the internal and the external. The Device unit provides miscellaneous calculations. Finally the Control Unit controls the whole IPSec Core. The Control Unit further comprises two sequence controllers (Control_A and Control_B), an Input controller, a Pre_Operation controller, an operation controller (including a Encryption controller and an Authentication controller), a Post_Operation controller, and an Output controller. The two sequence controllers provide processing sequence one for each module. The Input controller controls the packet data and SA information inputted to its associated buffer. The Pre_Operation controller prepares data for crypto operation. The Encryption controller controls data transfer between Encryption Engine and buffer. The Authentication controller controls the data transfer between the Authentication Engine and buffer. The Post_Operation controller deals with those affairs after crypto operation. Finally, the Output controller controls packet outputting from buffer to the output FIFO.
The second objective of this invention is to provide a method to enhance the performance by using a new architecture, which allows a more efficient pipeline proceeding and parallel processing. The IPSec Core can be duplicated so that inputted packets can be processed in parallel. It deals with total IPSec processing, namely, Pre_Operation, operation, and Post_Operation. Because the interface is very simple, it is feasible for duplication. Another aspect of this invention is the IPSec architecture. Accordingly, the IPSec Core uses a sharing structure, with which the two modules share resource with each other. Each module comprises a buffer, a sequence controller, a MUX, and a BUS. The two modules can deal with two different packets at a time, one for a packet and the other for another packet. The two modules cannot both perform any one of input, Pre_Operation, Post_Operation, encryption, authentication, and output at the same time, however, it allows that one module performs encryption and the other authentication at the same time. The IPSec Core supports three types of operation, the encryption, authentication, and both encryption and authentication operations. The sequence controller chains the encryption and the authentication operations together by controlling data transfer from buffer to the Encryption engine and to the Authentication engine; data transferred to the Authentication engine steals the bus transfer cycle of from buffer to the Encryption engine. Therefore, encryption and authentication can be operated simultaneously for a packet in any one of the two modules.
The final objective of this invention is to provide new features for a hardware-based implementation. The IPSec Core allows the processing of the bundled SA case: the sequence controller continues processing for the bundled SA without moving the processed results of the previous SA. Because the IPSec Core allows an early verification of the inbound packet, it does not need to wait for the decryption operation to finish before verifying the packet. Finally, the IPSec Core does not need an additional context to have the crypto operation done.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will become more fully understood from the detailed description given hereinbelow and the accompanying drawings, which are given by way of illustration only and thus are not limitative of the present invention, and wherein:
FIG. 1 is a block diagram of a conventional IPSec system structure;
FIG. 2 is a conventional IPSec processor with an embedded CPU;
FIG. 3 is a traditional pipeline concept;
FIG. 4 is a block diagram of an inbound or outbound IPSec processor according to one preferred embodiment of the present invention;
FIG. 5 is a block diagram of the IPSec Core of the preferred embodiment of the present invention in FIG. 4; and
FIG. 6 is a function block of the Control Unit according to the preferred embodiment of the present invention shown in FIG. 5.
DETAILED DESCRIPTION OF THE INVENTION
The present invention will be apparent from the following detailed description, which proceeds with reference to the accompanying drawings, wherein the same references relate to the same elements.
The following discussion assumes that the reader is familiar with IPSec protocols. For a basic introduction of the IPSec, the reader is directed to a text written by William Stallings and entitled “Cryptography and network security,” published by Prentice Hall.
To increase IPSec performance, one has to move as many functions as possible from software implementation to hardware implementation. An all-hardware solution, which does not even include a CPU, gives the best performance. A new architecture with pipeline and parallel processing techniques is essential to enhance the performance. In addition to performance, one also has to consider cost and ease of integration. Where and how those two techniques are applied makes a big difference.
The IPSec processor consists of an inbound IPSec processor and an outbound IPSec processor. FIG. 4 shows the block diagram of the inbound or outbound IPSec processor. The inbound or outbound IPSec processor consists of a Parser 400, a Classification unit 410, a Database Manager 420, a Database 430, an External IN Buffer 440, an External OUT Buffer 450, and several IPSec Cores 460. Note that Database 430 includes the SAD (security association database) and the SPD (security policy database). The Parser 400 parses parameters from the input packet data and forwards those parameters to the Classification unit 410. The Classification unit 410 looks up a policy with those parameters and decides whether to discard the packet, bypass it, or apply IPSec processing to it. In the "discard" case, the associated packet stored in the External IN Buffer 440 is dropped. In the "bypass" case, that packet is passed through to the External OUT Buffer 450 unchanged. Finally, in the "apply" case, that packet and its associated SA are forwarded from the External IN Buffer 440 and the Database 430, respectively, to one of the IPSec Cores 460. The External IN Buffer 440 holds incoming packets and pages them out to the several IPSec Cores 460. The External OUT Buffer 450 receives the outputs of the individual IPSec Cores 460 for external access.
In addition, a Database Manager 420 is used to maintain the security policy database (SPD) and the security association database (SAD).
A packet is processed in the sequence: parsing, classification, and transfer of the packet/SA data to an IPSec Core 460. The IPSec Core 460 takes care of packet input, pre_operation, IPSec operation, post_operation, packet output, and data buffering. Packets are distributed to the IPSec Cores 460 as soon as they are available, so that those packets can be processed in parallel. A packet is processed according to its given SA(s). The processed packets are delivered to the External OUT Buffer 450 on a "first come, first served" basis. For the bundled-SA case, a processed packet can be output only after the processing for all the bundled SAs is done.
The IPSec Core 460 has a simple IO interface: two input ports, one for packet input and the other for SA input, and one output port for processed packet output. The inputs and output follow a regular synchronous IO design. Thanks to the simple IO interface and easy access timing, it is very easy to duplicate the IPSec Cores 460 and thereby enhance the performance.
FIG. 5 shows the block diagram of the IPSec Core 460 in FIG. 4. The IPSec Core 460 is composed of an Encryption Engine 500, an Authentication Engine 510, a Device unit 520, an Output FIFO 530, two buffers (Buffer A 540 a and Buffer B 540 b), two MUXes (MUX A 550 a and MUX B 550 b), and a Control Unit 560. The Device unit 520 is responsible for checksum calculation, random number generation, mutable-bit calculation, length calculations, reference pointer calculations, temporary information storage, and so on. The Control Unit 560 controls the programming sequence, which directs data transfers. There are three types of data transfer: from buffer to peripheral, from peripheral to buffer, and from buffer to buffer. Here the term peripheral means an engine, the Output FIFO 530, or the Device unit 520. For the buffer-to-peripheral case, BUS A 570 a carries data from Buffer A 540 a to a peripheral. For the peripheral-to-buffer case, MUX A 550 a selects one path to write data from a peripheral into Buffer A 540 a. Finally, for the buffer-to-buffer case, data are read from Buffer A 540 a and written back to the same address via BUS A 570 a and MUX A 550 a.
The Control Unit 560 conducts IPSec processing as follows. A packet together with its associated SA(s) is loaded into Buffer A 540 a. The Control Unit 560 then conducts packet forming (header making, trailer making, and forming an IPSec packet) according to the acquired SA information. The formed packet is then delivered to the Encryption Engine 500 or the Authentication Engine 510. For AH mode, the mutable fields of the IP header and the option field have to be muted (zeroed) before authentication. For ESP mode, part of the formed packet is delivered to the Encryption Engine 500 and/or the Authentication Engine 510. The encrypted results are stored back in their original place, and packet output proceeds thereafter. If both encryption and authentication are needed for a packet, the Authentication Engine 510 reads the ciphered data that have been stored back in the buffer. When the packet data needs authentication (or encryption) but the Authentication Engine 510 (or Encryption Engine 500) is not available, the packet data waits in the buffer. Note that the sequence controller chains the encryption and the authentication operations together by controlling the data transfer from the buffer to the Encryption Engine and to the Authentication Engine.
Module B works in the same way as Module A. These two modules cooperate with each other to gain higher performance. The cooperation retains the pipeline spirit; however, it does not act like a traditional pipeline. It may be more appropriate to call the cooperation "sharing".
For the inbound service, the packet has to be verified to see whether it is a fake one. Five parameters are used for the verification: the protocol, the source address, the destination address, and the source and destination port numbers. The first three are in the IP header and the port numbers are in the TCP/UDP header. The received packet has to be decrypted back to its original values before those five parameters can be read. In a traditional pipeline, the verification is done in the Post_Operation; in other words, one has to wait until the whole decryption is done. The triple DES operation is the bottleneck of the whole process, and packets may be as long as fifteen hundred bytes, so a lot of time is wasted decrypting illegal packets. In our design, the verification can be performed right after the decryption of the TCP/UDP header.
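The classification step described above (discard, bypass or apply against the SPD) and the early selector verification of the inbound packet described in the preceding paragraph, as an added example that is not code from the patent. Everything in it is constructed: the SPD entries, the SA selector set, the tunnel-mode inner IPv4/UDP packets and the keyed-counter XOR stand-in for the block cipher (a real SA uses the negotiated cipher). It shows the text's point that the 5-tuple check can run as soon as the block carrying the transport ports has been decrypted, so a forged 1500-byte packet costs three 8-byte block decryptions instead of the whole packet. One caveat the patent text does not mention: for ESP with an ICV, RFC 4303 requires verifying the ICV before decrypting, so this selector check belongs after that integrity check, not in place of it.

```python
"""Added example (not from the patent): SPD classification of a packet and
early selector verification of an inbound packet while it is still being
decrypted block by block.  Packets, policies and the XOR "cipher" are
constructed stand-ins; a real ESP SA uses the negotiated cipher and checks
the ICV before decrypting anything (RFC 4303)."""
from __future__ import annotations
import struct
from dataclasses import dataclass

BLOCK = 8  # cipher block size; matches the triple DES block the text mentions

@dataclass(frozen=True)
class FiveTuple:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int

def parse_five_tuple(pkt: bytes) -> FiveTuple | None:
    """Return the 5-tuple of an IPv4 packet, or None if the bytes seen so far
    do not yet reach the transport ports (the early-verification case)."""
    if len(pkt) < 20:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto in (6, 17):                     # TCP/UDP: ports are the first 4 bytes
        if len(pkt) < ihl + 4:
            return None
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    else:                                    # no ports for other protocols
        if len(pkt) < ihl:
            return None
        sport = dport = 0
    return FiveTuple(proto, src, dst, sport, dport)

@dataclass(frozen=True)
class Policy:
    """One SPD entry, or the selector set of an SA; None means wildcard."""
    action: str                 # "discard", "bypass" or "apply"
    proto: int | None
    src: str | None
    dst: str | None
    dport: int | None
    sa_id: int | None = None    # SA to use in the "apply" case

def selector_match(p: Policy, ft: FiveTuple) -> bool:
    pairs = ((p.proto, ft.proto), (p.src, ft.src), (p.dst, ft.dst), (p.dport, ft.dport))
    return all(want is None or want == got for want, got in pairs)

def classify(spd: list, pkt: bytes) -> tuple:
    """Classification unit: first matching SPD entry wins; no match or an
    unparsable packet is discarded."""
    ft = parse_five_tuple(pkt)
    if ft is None:
        return ("discard", None)
    for p in spd:
        if selector_match(p, ft):
            return (p.action, p.sa_id)
    return ("discard", None)

def xor_block(key: bytes, n: int, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher: keyed, counter-dependent XOR."""
    ks = bytes((key[i % len(key)] + n) & 0xFF for i in range(BLOCK))
    return bytes(a ^ b for a, b in zip(block, ks))

def encrypt(key: bytes, plain: bytes) -> bytes:
    plain += b"\x00" * (-len(plain) % BLOCK)  # pad to whole blocks, as ESP does
    return b"".join(xor_block(key, i // BLOCK, plain[i:i + BLOCK])
                    for i in range(0, len(plain), BLOCK))

def inbound_decrypt_with_early_check(key: bytes, ct: bytes, sa_selector: Policy) -> tuple:
    """Decrypt block by block and check the inner 5-tuple against the SA's
    selectors as soon as the transport ports are available, not after the
    last block.  Returns (verdict, plaintext so far, blocks decrypted)."""
    plain, n, verified = b"", 0, False
    for i in range(0, len(ct), BLOCK):
        plain += xor_block(key, n, ct[i:i + BLOCK])
        n += 1
        if verified:
            continue
        ft = parse_five_tuple(plain)
        if ft is None:
            continue                          # header not complete yet
        if not selector_match(sa_selector, ft):
            return ("reject", plain, n)       # stop: the rest is never decrypted
        verified = True
    return ("accept" if verified else "reject", plain, n)

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP packet (checksums left zero; enough for this example)."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0x4000,
                      64, 17, 0, ip(src), ip(dst))
    return hdr + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
```

On a constructed 1400-byte UDP payload the accepted packet is decrypted in full (179 blocks), while a packet whose inner source address does not match the SA's selectors is rejected after the third block, which is the first block that completes the inner IP header plus the two port fields.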
FIG. 6 shows the Control Unit 560 in FIG. 5. The Control Unit 560 is composed of eight sub-units. The spotted blocks are finite state machines, which control the processing order, while the rectangular ones are individual control functions. Each control function uses a finite state machine to drive a DMA (Direct Memory Access) for data transfer. We call the spotted blocks sequence controllers. Each oval stands for a specific state, which calls one or two functions as indicated. A sequence controller has five states: the Input State 610, the Pre_Operation State 620, the Operation State (Encryption 630 or Authentication 640), the Post_Operation State 650, and the Output State 660. The two sequence controllers, Control_A 600 a and Control_B 600 b, share the rectangular-shaped functions with each other. We call this a sharing structure. The processing flow is described below:
A packet is allowed to enter the IPSec Core only when one of the sequence controllers is in the Input State, so that it can call the Input function. The packet data are placed in that module's buffer.
At most two packets' data are allowed to stay in the IPSec Core at a time. Packet data stored in a buffer go through Pre_Operation, Operation, Post_Operation and Output in sequence. Each of these functions serves packet data on a "first come, first served" basis. The two sequence controllers are alike, except that one of them has an additional "Yield State", so that the two sequence controllers do not both enter the Input State at power-up.
If a packet demands an additional SA service (the bundled SA case), the packet has to go through additional Pre_Operation, Operation and Post_Operation passes. That packet cannot be output until all the processing associated with the last SA is finished.
As long as one sequence controller is using a function, the other one is not allowed to use that function. This structure still allows one sequence controller to call Encryption 630 while the other calls Authentication 640.
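The sharing structure described in the processing flow above, as an added cycle-level simulation that is not code from the patent: two sequence controllers, one copy of each control function (Input, Pre_Operation, Encryption, Authentication, Post_Operation, Output), a Yield State on the second controller, bundled SAs re-running Pre_Operation, Operation and Post_Operation before a single Output, and the rule that a function is never held by both controllers while Encryption and Authentication may be held by different controllers in the same cycle. The per-function cycle costs and the four-packet workload are constructed; the intra-module chaining of encryption and authentication by bus-cycle stealing is not modelled.

```python
"""Added example (not from the patent): cycle-level model of two sequence
controllers sharing one copy of each control function.  Cycle costs and the
packet workload are constructed; bus-cycle stealing is not modelled."""
from collections import deque

CYCLES = {"INPUT": 2, "PRE": 1, "ENC": 6, "AUTH": 4, "POST": 1, "OUTPUT": 2}  # constructed

def steps_for(packet: dict) -> list:
    """Expand a packet's SA bundle into the sequence of shared functions it calls.
    Each bundled SA repeats Pre_Operation, Operation and Post_Operation; Output
    happens once, after the last SA (the bundle-SA rule in the text)."""
    steps = ["INPUT"]
    for mode in packet["sas"]:              # "enc", "auth" or "both" per SA
        steps.append("PRE")
        if mode in ("enc", "both"):
            steps.append("ENC")
        if mode in ("auth", "both"):
            steps.append("AUTH")
        steps.append("POST")
    steps.append("OUTPUT")
    return steps

class SequenceController:
    def __init__(self, name: str, yield_first: bool = False):
        self.name = name
        self.yielding = yield_first   # the extra "Yield State" of one controller
        self.packet = None            # packet sitting in this module's buffer
        self.steps = []               # remaining function calls for that packet
        self.held = None              # function currently held
        self.remaining = 0            # cycles left on the held function

def run(packets: list, controllers: list) -> list:
    """Simulate until every packet has been output.  Returns, per cycle, a dict
    {controller name: held function or None (waiting in the buffer)}."""
    queue, busy, trace, done = deque(packets), {}, [], 0
    while done < len(packets):
        snapshot = {}
        for c in controllers:
            if c.held is None:
                if c.packet is None:
                    if c.yielding:
                        c.yielding = False         # let the other one take Input first
                    elif queue:
                        c.packet = queue.popleft()
                        c.steps = steps_for(c.packet)
                if c.packet is not None and c.steps and c.steps[0] not in busy:
                    c.held = c.steps.pop(0)        # acquire the shared function
                    busy[c.held] = c.name
                    c.remaining = CYCLES[c.held]
            snapshot[c.name] = c.held
        trace.append(snapshot)
        for c in controllers:                      # end of cycle: release finished functions
            if c.held is not None:
                c.remaining -= 1
                if c.remaining == 0:
                    del busy[c.held]
                    c.held = None
                    if not c.steps:
                        done += 1
                        c.packet = None
    return trace

def no_function_shared(trace: list) -> bool:
    """Invariant from the text: two controllers never hold the same function at once."""
    return all(len([f for f in s.values() if f]) == len({f for f in s.values() if f})
               for s in trace)

def cycles_with(trace: list, fa: str, fb: str) -> int:
    """Cycles in which fa and fb are held by different controllers at the same time."""
    return sum(1 for s in trace if {fa, fb} <= set(s.values()))

if __name__ == "__main__":
    packets = [{"sas": ["both"]}, {"sas": ["auth"]}, {"sas": ["enc", "auth"]}, {"sas": ["both"]}]
    serial = run(packets, [SequenceController("A")])
    shared = run(packets, [SequenceController("A"), SequenceController("B", yield_first=True)])
    print(len(serial), len(shared), cycles_with(shared, "ENC", "AUTH"))  # 60 34 8
```

On the constructed workload a single sequence controller needs 60 cycles, the two sharing controllers need 34, and in 8 of those cycles one controller holds Encryption while the other holds Authentication; no_function_shared() confirms over the whole trace that no function is ever held twice. The third packet is a two-SA bundle and shows the Pre_Operation/Operation/Post_Operation loop running twice before its single Output.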
While the invention has been described by way of example and in terms of the preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments. To the contrary, it is intended to cover various modifications and similar arrangements as would be apparent to those skilled in the art. Therefore, the scope of the appended claims should be accorded the broadest interpretation so as to encompass all such modifications and similar arrangements.

Claims (12)

1. An IPSec Core for executing IPSec processing, which comprises:
an Encryption Engine for encrypting part of formed packet data for outbound service or decrypting part of decapsulated packet data for the inbound service;
an Authentication Engine for authenticating the packet data or the processed packet data;
a Device unit for providing miscellaneous calculations to process the packet data or the processed packet data;
two modules, each of the module comprising:
a buffer for storing the packet data or the processed packet data;
a BUS for transferring the packet data or the processed packet data in the IPSec Core;
a multiplexer for selecting path for the packet data or the processed data to be transferred into the buffer from the Encryption Engine, the Authentication Engine, the Device unit, the buffer or the external source;
an Output FIFO for outputting the processed packet data; and
a Control Unit for controlling the IPSec processes, wherein the Control Unit further comprises:
two sequence controllers for controlling at least one processing sequence of the packet data or the processed packet data;
an Input controller for controlling the packet data, the processed packet data or the SA data being inputted to the IPSec Core;
a Pre_Operation controller for forming an IPSec Packet, part of that packet is used for crypto operation including the encryption, the authentication, or both the encryption and the authentication;
an Encryption controller for controlling the packet data or the processed packet data transferring to/from the Encryption Engine;
an Authentication controller for controlling the packet data or the processed packet data transferring to/from the Authentication Engine;
a Post_Operation controller for dealing with the processed packet data after the crypto operation; and
an Output controller for outputting the processed packet data.
2. The IPSec Core of claim 1, wherein the packet data is from the IN Buffer of the IPSec processor and the processed data means that the data have been processed by the Encryption Engine, the Authentication Engine or the Device unit.
3. The IPSec Core of claim 1, wherein the Encryption Engine and the Authentication Engine are independent of each other so that one can perform an encryption for a first packet data and an authentication for a second packet data at the same time within the IPSec processes.
4. The IPSec Core of claim 1, wherein the Device unit provides required information for a crypto operation so that no additional context is needed.
5. The IPSec Core of claim 1, wherein the buffers in the modules acts as an input data buffer, as a working buffer, and as an output buffer; the total buffer size is the same as if the buffers are moved to the External IN Buffer or the External OUT Buffer.
6. The IPSec Core of claim 1, wherein the BUSes could be merged into one for the two modules with a BUS data controller.
7. The IPSec Core of claim 1, wherein the two sequence controllers share the Input controller, the Pre_Operation controller, the Post_Operation controller, the Encryption controller, the Authentication controller, and the Output controller with each other, the two sequence controllers can not both call the same function at the same time.
8. The IPSec Core of claim 1, wherein the two sequence controllers run their own sequence, therefore, two different packet data can be processed at the same time; in addition, it allows that one of the sequence controllers calls encryption for a first packet and the other sequence controller calls authentication for a second packet.
9. The IPSec Core of claim 1, wherein the sequence controllers allow the processing of the bundled SA case, the processing sequence continues the processes for the bundled SA without moving the processed results of the previous SA and the whole processing is done when all the bundled SAs have been processed.
10. The IPSec Core of claim 1, wherein the sequence controllers allow an early verification of the packet data or the processed packet data, and do not need to perform the verification after the finish of the decryption operation.
11. The IPSec Core of claim 1, wherein the sequence controllers can call both the encryption and the authentication operations simultaneously and respectively for the different packet data.
12. The IPSec Core of claim 1, wherein the encryption controller and the authentication controller are designed to be able chained together by controlling the data transferred from buffer to the encryption engine and to the authentication engine; the transfer from buffer to the authentication engine steals the transfer cycle from buffer to the authentication engine.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/429,540 US7577833B2 (en) 2002-08-21 2006-05-05 Apparatus and method for high speed IPSec processing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/225,027 US20040039936A1 (en) 2002-08-21 2002-08-21 Apparatus and method for high speed IPSec processing
US11/429,540 US7577833B2 (en) 2002-08-21 2006-05-05 Apparatus and method for high speed IPSec processing

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/225,027 Division US20040039936A1 (en) 2002-08-21 2002-08-21 Apparatus and method for high speed IPSec processing

Publications (2)

Publication Number Publication Date
US20060265585A1 US20060265585A1 (en) 2006-11-23
US7577833B2 true US7577833B2 (en) 2009-08-18

Family

ID=31886934

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/225,027 Abandoned US20040039936A1 (en) 2002-08-21 2002-08-21 Apparatus and method for high speed IPSec processing
US11/429,540 Expired - Lifetime US7577833B2 (en) 2002-08-21 2006-05-05 Apparatus and method for high speed IPSec processing

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/225,027 Abandoned US20040039936A1 (en) 2002-08-21 2002-08-21 Apparatus and method for high speed IPSec processing

Country Status (2)

Country Link
US (2) US20040039936A1 (en)
TW (1) TW576066B (en)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10044582B2 (en) 2012-01-28 2018-08-07 A10 Networks, Inc. Generating secure name records
US10594600B2 (en) 2013-03-15 2020-03-17 A10 Networks, Inc. System and method for customizing the identification of application or content type
US10708150B2 (en) 2013-03-15 2020-07-07 A10 Networks, Inc. System and method of updating modules for application or content identification
US9722918B2 (en) 2013-03-15 2017-08-01 A10 Networks, Inc. System and method for customizing the identification of application or content type
US9912555B2 (en) 2013-03-15 2018-03-06 A10 Networks, Inc. System and method of updating modules for application or content identification
US9838425B2 (en) 2013-04-25 2017-12-05 A10 Networks, Inc. Systems and methods for network access control
US10581907B2 (en) 2013-04-25 2020-03-03 A10 Networks, Inc. Systems and methods for network access control
US10091237B2 (en) 2013-04-25 2018-10-02 A10 Networks, Inc. Systems and methods for network access control
US10187423B2 (en) 2013-08-26 2019-01-22 A10 Networks, Inc. Health monitor based distributed denial of service attack mitigation
US9294503B2 (en) 2013-08-26 2016-03-22 A10 Networks, Inc. Health monitor based distributed denial of service attack mitigation
US9860271B2 (en) 2013-08-26 2018-01-02 A10 Networks, Inc. Health monitor based distributed denial of service attack mitigation
US9906422B2 (en) 2014-05-16 2018-02-27 A10 Networks, Inc. Distributed system to determine a server's health
US10686683B2 (en) 2014-05-16 2020-06-16 A10 Networks, Inc. Distributed system to determine a server's health
US9756071B1 (en) 2014-09-16 2017-09-05 A10 Networks, Inc. DNS denial of service attack protection
US9537886B1 (en) 2014-10-23 2017-01-03 A10 Networks, Inc. Flagging security threats in web service requests
US20160182463A1 (en) * 2014-12-23 2016-06-23 Chandra Sekhar Suram Secure communication device and method
US9516065B2 (en) * 2014-12-23 2016-12-06 Freescale Semiconductor, Inc. Secure communication device and method
US10505964B2 (en) 2014-12-29 2019-12-10 A10 Networks, Inc. Context aware threat protection
US9621575B1 (en) 2014-12-29 2017-04-11 A10 Networks, Inc. Context aware threat protection
US9584318B1 (en) 2014-12-30 2017-02-28 A10 Networks, Inc. Perfect forward secrecy distributed denial of service attack defense
US9900343B1 (en) 2015-01-05 2018-02-20 A10 Networks, Inc. Distributed denial of service cellular signaling
US9848013B1 (en) 2015-02-05 2017-12-19 A10 Networks, Inc. Perfect forward secrecy distributed denial of service attack detection
US10834132B2 (en) 2015-02-14 2020-11-10 A10 Networks, Inc. Implementing and optimizing secure socket layer intercept
US10063591B1 (en) 2015-02-14 2018-08-28 A10 Networks, Inc. Implementing and optimizing secure socket layer intercept
US9787581B2 (en) 2015-09-21 2017-10-10 A10 Networks, Inc. Secure data flow open information analytics
US10469594B2 (en) 2015-12-08 2019-11-05 A10 Networks, Inc. Implementation of secure socket layer intercept
US10812348B2 (en) 2016-07-15 2020-10-20 A10 Networks, Inc. Automatic capture of network data for a detected anomaly
US10341118B2 (en) 2016-08-01 2019-07-02 A10 Networks, Inc. SSL gateway with integrated hardware security module
US10382562B2 (en) 2016-11-04 2019-08-13 A10 Networks, Inc. Verification of server certificates using hash codes
US10250475B2 (en) 2016-12-08 2019-04-02 A10 Networks, Inc. Measurement of application response delay time
US10397270B2 (en) 2017-01-04 2019-08-27 A10 Networks, Inc. Dynamic session rate limiter
USRE47924E1 (en) 2017-02-08 2020-03-31 A10 Networks, Inc. Caching network generated security certificates
US10187377B2 (en) 2017-02-08 2019-01-22 A10 Networks, Inc. Caching network generated security certificates

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7600131B1 (en) 1999-07-08 2009-10-06 Broadcom Corporation Distributed processing in a cryptography acceleration chip
US7191341B2 (en) 2002-12-18 2007-03-13 Broadcom Corporation Methods and apparatus for ordering data in a cryptography accelerator
US20040123120A1 (en) * 2002-12-18 2004-06-24 Broadcom Corporation Cryptography accelerator input interface data handling
US7568110B2 (en) * 2002-12-18 2009-07-28 Broadcom Corporation Cryptography accelerator interface decoupling from cryptography processing cores
US20040123123A1 (en) * 2002-12-18 2004-06-24 Buer Mark L. Methods and apparatus for accessing security association information in a cryptography accelerator
US7434043B2 (en) * 2002-12-18 2008-10-07 Broadcom Corporation Cryptography accelerator data routing unit
CN100499451C (en) * 2003-08-26 2009-06-10 中兴通讯股份有限公司 Network communication safe processor and its data processing method
US7543142B2 (en) * 2003-12-19 2009-06-02 Intel Corporation Method and apparatus for performing an authentication after cipher operation in a network processor
US7512945B2 (en) * 2003-12-29 2009-03-31 Intel Corporation Method and apparatus for scheduling the processing of commands for execution by cryptographic algorithm cores in a programmable network processor
US20050149744A1 (en) * 2003-12-29 2005-07-07 Intel Corporation Network processor having cryptographic processing including an authentication buffer
US7529924B2 (en) * 2003-12-30 2009-05-05 Intel Corporation Method and apparatus for aligning ciphered data
US7685434B2 (en) * 2004-03-02 2010-03-23 Advanced Micro Devices, Inc. Two parallel engines for high speed transmit IPsec processing
US7885405B1 (en) * 2004-06-04 2011-02-08 GlobalFoundries, Inc. Multi-gigabit per second concurrent encryption in block cipher modes
GB2417655B (en) * 2004-09-15 2006-11-29 Streamshield Networks Ltd Network-based security platform
US7783880B2 (en) * 2004-11-12 2010-08-24 Microsoft Corporation Method and apparatus for secure internet protocol (IPSEC) offloading with integrated host protocol stack management
US20060136717A1 (en) 2004-12-20 2006-06-22 Mark Buer System and method for authentication via a proximate device
US8295484B2 (en) 2004-12-21 2012-10-23 Broadcom Corporation System and method for securing data from a remote input device
KR100981963B1 (en) * 2007-07-06 2010-09-13 한국전자통신연구원 Node authentication and noce operation methods within service and asccess networks for bundle authentication bewteen service and access networks in NGN environment
US8191134B1 (en) * 2008-09-29 2012-05-29 Sonicwall, Inc. Lockless distributed IPsec processing
CN102780625B (en) * 2012-07-30 2014-12-17 成都卫士通信息产业股份有限公司 Method and device for realizing internet protocol security (IPSEC) virtual private network (VPN) encryption and decryption processing
CN103716336A (en) * 2014-01-23 2014-04-09 国家电网公司 Communication system based on electric power dependable computing platform communication security and method
CN105260378A (en) * 2015-09-08 2016-01-20 上海上讯信息技术股份有限公司 Database audit method and device
US11477176B1 (en) * 2021-05-27 2022-10-18 Microsoft Technology Licensing, Llc Throughput for a single VPN connection using multiple processing cores

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6157955A (en) 1998-06-15 2000-12-05 Intel Corporation Packet processing system including a policy engine having a classification unit
US20010042204A1 (en) 2000-05-11 2001-11-15 David Blaker Hash-ordered databases and methods, systems and computer program products for use of a hash-ordered database
US6708218B1 (en) 2000-06-05 2004-03-16 International Business Machines Corporation IpSec performance enhancement using a hardware-based parallel process
US20020087708A1 (en) 2000-12-22 2002-07-04 Low Arthur John Method of processing serial data, serial data processor and architecture therefore
US6941366B2 (en) 2001-01-17 2005-09-06 International Business Machines Corporation Methods, systems and computer program products for transferring security processing between processors in a cluster computing environment
US20020188839A1 (en) * 2001-06-12 2002-12-12 Noehring Lee P. Method and system for high-speed processing IPSec security protocol packets
US7194766B2 (en) * 2001-06-12 2007-03-20 Corrent Corporation Method and system for high-speed processing IPSec security protocol packets
US20030196081A1 (en) 2002-04-11 2003-10-16 Raymond Savarda Methods, systems, and computer program products for processing a packet-object using multiple pipelined processing modules
US20030200456A1 (en) * 2002-04-19 2003-10-23 International Business Machines Corp. IPSec network adapter verifier
US20040008711A1 (en) 2002-07-09 2004-01-15 Lahti Gregg D. System and method for anti-replay processing of a data packet


Also Published As

Publication number Publication date
US20040039936A1 (en) 2004-02-26
US20060265585A1 (en) 2006-11-23
TW576066B (en) 2004-02-11


Legal Events

Code Title Description
STCF Information on status: patent grant. PATENTED CASE
AS Assignment. Owner name: A10 NETWORKS, INC.-TAIWAN, TAIWAN. ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE;REEL/FRAME:026062/0666. Effective date: 20110318
AS Assignment. Owner name: A10 NETWORKS, INC., CALIFORNIA. ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:A10 NETWORKS, INC.-TAIWAN;REEL/FRAME:026291/0378. Effective date: 20110510
FEPP Fee payment procedure. PAT HOLDER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: LTOS); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
REFU Refund. REFUND - PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: R1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
FPAY Fee payment. Year of fee payment: 4
AS Assignment. Owner name: A10 NETWORKS, INC., CALIFORNIA. CHANGE OF ADDRESS;ASSIGNOR:A10 NETWORKS, INC.;REEL/FRAME:031075/0954. Effective date: 20130822
AS Assignment. Owner name: ROYAL BANK OF CANADA, AS COLLATERAL AGENT, CANADA. SECURITY INTEREST;ASSIGNOR:A10 NETWORKS, INC.;REEL/FRAME:031485/0284. Effective date: 20130930
FEPP Fee payment procedure. PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
FPAY Fee payment. Year of fee payment: 8
MAFP Maintenance fee payment. PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 12